Java bug hunter Adam Gowdiak said he reported to Oracle a new Reflection API vulnerability that affects all Java versions. Attackers can exploit this vulnerability to achieve a complete Java security sandbox escape. Oracle has color coded its user prompts; blue for apps signed by a trusted certificate, and yellow for untrusted or expired certificates. Oracle also removed the low security settings in the Java Control Panel; users will no longer be able to opt out of the security features built into Java. Of the 42 vulnerabilities patched in the update, all but three were remotely exploitable.
Source: https://threatpost.com/java-sandbox-bypass-discovered-that-breaks-latest-update/99868/